From: Dave Jones <davej@redhat.com>
To: Patrick McHardy <kaber@trash.net>
Cc: David Miller <davem@davemloft.net>,
netdev@vger.kernel.org, netfilter-devel@vger.kernel.org,
pablo@netfilter.org
Subject: Re: [PATCH] Use unsigned variables for packet lengths in ip[6]_queue.
Date: Tue, 7 Jun 2011 10:39:24 -0400 [thread overview]
Message-ID: <20110607143924.GA5257@redhat.com> (raw)
In-Reply-To: <4DEE335C.1010504@trash.net>
On Tue, Jun 07, 2011 at 04:19:08PM +0200, Patrick McHardy wrote:
> >>> With the patch below, I haven't been able to reproduce the problem, but
> >>> I don't know if I've inadvertantly broken some other behaviour somewhere
> >>> deeper in netlink where this is valid.
> >
> > This is fine, but I'm wondering whether this can really fix the problem
> > you've been seeing. Before the packet is reallocated, the length of
> > nlmsglen - NLMSGLEN(0) - sizeof(struct ipq_peer_msg) is compared to
> > ipq_peer_msg->data_len, so both values need to be wrong.
> > ipq_peer_msg->data_len is a size_t, so it's unsigned.
> >
> > I think what we should additionally do is verify that data_len < 65535
> > since that's the maximum size of an IP packet.
>
> We're actually already doing this. This makes it even more strange that
> you're seeing this problem. Could you send me your testcase?
I don't have a standalone test-case, just a generic fuzzing tool that passes
sockets to various syscalls. You can clone it from git://git.codemonkey.org.uk/trinity.git/
(the test-random.sh should explain how to use it)
Dave.
next prev parent reply other threads:[~2011-06-07 14:39 UTC|newest]
Thread overview: 12+ messages / expand[flat|nested] mbox.gz Atom feed top
2011-04-20 1:42 ipqueue allocation failure Dave Jones
2011-04-20 3:41 ` David Miller
2011-04-20 5:27 ` Eric Dumazet
2011-05-28 0:36 ` [PATCH] Use unsigned variables for packet lengths in ip[6]_queue Dave Jones
2011-06-02 19:24 ` Dave Jones
2011-06-02 20:57 ` David Miller
2011-06-07 12:59 ` Patrick McHardy
2011-06-07 14:19 ` Patrick McHardy
2011-06-07 14:39 ` Dave Jones [this message]
2011-06-07 15:19 ` Patrick McHardy
2011-06-03 10:07 ` Pablo Neira Ayuso
2011-04-21 15:13 ` ipqueue allocation failure Patrick McHardy
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20110607143924.GA5257@redhat.com \
--to=davej@redhat.com \
--cc=davem@davemloft.net \
--cc=kaber@trash.net \
--cc=netdev@vger.kernel.org \
--cc=netfilter-devel@vger.kernel.org \
--cc=pablo@netfilter.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.